Hi!
I'm trying to configure exim to not accept SSLv3 protocol connections.
With exim, there's only tls_require_ciphers, which does not allow
disabling SSLv3 in a similar fashion.
Well, it *does* allow '!SSLv3', but then TLSv1 fails as well.
This can be tested using cnark:
http://blog.techstacks.com/cryptonark.html
http://www.techstacks.com/files/cnark-v0.5.6.tar.gz
and calling the cnark script:
cnark -h my-test-host -p 465 --insecure
Case 1, disable SSLv3:
tls_require_ciphers = HIGH:!SSLv2:!SSLv3:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
cnark gives:
[...]
Testing SSLv3 Ciphers...
Testing TLSv1 Ciphers...
Testing TLSv1.2 Ciphers...
[...]
Case 2, disable only SSLv2:
tls_require_ciphers = HIGH:!SSLv2:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
cnark gives:
[...]
Testing SSLv3 Ciphers...
DHE-RSA-AES256-SHA -- 256 bits, High Encryption, Forward Secrecy
AES256-SHA -- 256 bits, High Encryption
DHE-RSA-AES128-SHA -- 128 bits, High Encryption, Forward Secrecy
AES128-SHA -- 128 bits, High Encryption
Testing TLSv1 Ciphers...
DHE-RSA-AES256-SHA -- 256 bits, High Encryption, Forward Secrecy
AES256-SHA -- 256 bits, High Encryption
DHE-RSA-AES128-SHA -- 128 bits, High Encryption, Forward Secrecy
AES128-SHA -- 128 bits, High Encryption
Testing TLSv1.2 Ciphers...
[...]
With dovecot, besides ssl_cipher_list there's a ssl_protocols field,
as described in:
http://security.stackexchange.com/questions/71872/disable-sslv3-in-dovecot-tls-handshaking-failed-no-shared-cipher
So setting 'ssl_protocols = !SSLv2 !SSLv3' allows disabling SSLv3.
This is implemented in dovecot-2.2.15 in
dovecot-2.2.15/src/lib-ssl-iostream/iostream-openssl-common.c
with a function openssl_get_protocol_options, and maybe exim needs something
similar?
--
pi@??? +49 171 3101372 6 years to go !
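The behaviour reported above (case 1 leaving TLSv1 with no ciphers) follows from how OpenSSL reads a cipher string: `SSLv3`, `TLSv1` and `TLSv1.2` are labels for the lowest protocol version a suite needs, not protocol switches, so `!SSLv3` removes suites, and those suites are the ones a TLSv1.0 client has to use. The script below is an added example (not code from the post, from exim or from dovecot) that feeds the two tls_require_ciphers values quoted in the post to the local OpenSSL through Python's ssl module and reports which suites survive and which of them a pre-TLSv1.2 client could still negotiate. It assumes a Python linked against OpenSSL 1.1.1 or newer; the exact labels and the set of surviving suites depend on that library version, which is the point of running it against the build exim actually links.

```python
"""Show what an OpenSSL cipher string (exim's tls_require_ciphers) does to
each protocol version, using the ssl module of the local Python build.

Added example, not code from the mailing-list post or from exim/dovecot.
Assumption: Python is linked against OpenSSL 1.1.1 or newer.
"""
import ssl

# The two tls_require_ciphers values quoted in the post ("case 1" / "case 2").
CASE1_NO_SSLV3 = "HIGH:!SSLv2:!SSLv3:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
CASE2_NO_SSLV2 = "HIGH:!SSLv2:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"

# Labels OpenSSL uses for suites that TLSv1.2 (or TLSv1.3) introduced; any
# other label ('SSLv3', 'TLSv1', 'TLSv1.0') marks a suite a TLSv1.0/1.1
# client can negotiate.
TLS12_AND_UP = ("TLSv1.2", "TLSv1.3")


def suites_by_min_version(cipher_string):
    """Hand the cipher string to OpenSSL the way exim does and group the
    surviving suites by the lowest protocol version that can use them.

    A word OpenSSL does not know (such as '!SSLv2' on builds without SSLv2)
    is skipped; only a string that matches nothing at all raises SSLError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    groups = {}
    for suite in ctx.get_ciphers():
        groups.setdefault(suite["protocol"], []).append(suite["name"])
    return {proto: sorted(names) for proto, names in groups.items()}


def suite_names(cipher_string):
    """Flat set of the suite names the string leaves enabled."""
    return {name for names in suites_by_min_version(cipher_string).values()
            for name in names}


def pre_tls12_suites(cipher_string):
    """Suites a TLSv1.0 or TLSv1.1 client could still negotiate.

    Empty means such clients cannot connect at all, which is what cnark
    showed for case 1: '!SSLv3' took the suites away, not the protocol.
    """
    groups = suites_by_min_version(cipher_string)
    return sorted(name for proto, names in groups.items()
                  if proto not in TLS12_AND_UP for name in names)


def report(cipher_string):
    """Print a per-version summary for one tls_require_ciphers value."""
    groups = suites_by_min_version(cipher_string)
    print("tls_require_ciphers =", cipher_string)
    for proto in sorted(groups):
        print(f"  suites whose minimum version is {proto}: {len(groups[proto])}")
    older = pre_tls12_suites(cipher_string)
    print("  usable by a TLSv1.0/1.1 client:", ", ".join(older) or "none")


if __name__ == "__main__":
    for value in (CASE1_NO_SSLV3, CASE2_NO_SSLV2):
        report(value)
```

Run it with the Python that links the same OpenSSL as the mail server: if case 1 prints "none" for TLSv1.0/1.1 clients, the build matches the post's result; if it lists only ECDHE suites, that build distinguishes the `SSLv3` and `TLSv1` labels and `!SSLv3` is an even less predictable protocol control. Either way, the suite list is the wrong tool for version policy: the counterpart of dovecot's ssl_protocols on an OpenSSL build of exim is the openssl_options main option (for example `+no_sslv3`), which disables the protocol version and leaves tls_require_ciphers to say only which suites the remaining versions may use.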